WHAT IS CLAIMED IS : 

A system for detecting and selectively removin^viruses in data 
transfers, the system comprising: 

3 a memory for storing data and routines, the memfory having inputs and 

4 outputs, the memory including a server/or scanning data for a 

5 virus and specifying data handling ajirions dependent on an 

6 existence of the virus; 

7 a communications unit for receiving a^d sending data in response to 

8 control signals, the commun^ations unit having an input and an 

9 output; and 

10 a processing unit for receiving^ignals from the memory and the 

11 communications unityfind for sending signals to the memory and 

12 communications urilt; the processing unit having inputs and 

13 outputs; the inpi^s of the processing unit coupled to the outputs of 

14 memory and tMe output of the communications unit; the outputs of 

15 the processing urvit coupled to the inputs of memory, the input of 

16 the communications unit, the processor controlling and processing 

17 data transmitted through the communications unit to detect 

18 virusej^ and selectively transfer data depending on the existence of 

19 viruses in the data being transmitted. 



The system of cD^iyl, wherein the server includes: 
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2 a proxy server for receiving data to be transferred, the proxy sgilver 

3 scarming the data to be transferred for viruses and/controlling 

4 transmission of the data to be transferred aco^ming to preset 

5 handing instructions and the presence o^iruses, the proxy server 

6 having a data input, a data output ana a control output, the data 

7 input coupled to receive the data/to be transferred; and 

8 a daemon for transferring daW from the proxy server in response to 

9 control signals from tha^rom^ server, the daemon having a control 

10 input, a data input ajraJa dataWtput, the control input of the 

11 daemon couplecLro the Vontrol output of the proxy server for 

12 receiving cmra-ol signals, and the data input of the daemon coupled 

13 to the d^a output of the proxy server for receiving the data to be 

14 tra^ferred, 

1 3. The system of claim 2, wherein Irie proxy server is a FTP proxy 

2 server that handles evaluation and transfe/ of data files, and the daemon is an 

3 FTP daemon that communicates with a/ecipient node and transfers data, files to 

4 the recipient node. / 

1 4. The system of claim 2, wherein the proxy server is a SMTP proxy 

2 server that handles evaluatioyf and transfer of messages, and the daemon is an 

3 SMTP daemon that commuriicates with a recipient node and transfers messages 

4 to the recipient node. / 
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1 A computer implemented method £or detecting viruses in data 

2 transfers between a first computer and a second computer, the method 

3 comprising the steps of: / 

4 receiving at a server a data transfier request including a destination 

5 address; / 

6 electronically transmitting data to the server; 

7 determining whether the/data contains a virus at the server; 

8 performing a preset a^ion on the data using the server if the data contains 

9 a virus; and/ 

10 sending the dat^to the destination address if the data does not contain a 

11 virus./ 

1 ^ ^, The method of claim^^, further comprising the steps of storing the 

2 data in a temporary file at the server after the step of electronically transmitting; 

3 and wherein the step of determining includes scanning the data for a virus 

4 using the server. 

1 uv^ \ 7. The method of cl^m 6, wherein the step of scanning is performed 

2 /usmg in signature scanningyprocess. 
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The method of claim'^, wherein the step of performing a preset 
action on the data using the server comprises performing one step from the 
group of: 

transmitting the data unchanged; 

not transmitting the data; and 

storing the data in a file with a new name and notifying a recipient of the 
data transfer request of the new file name. 



9, The method of claim 5, further/comprising the steps of: 
determining whether the data is o^a type that is likely to contain a virus; 
and 



transmitting the data from 
performing the stet)s 



\e 



rver to the destination without 
)f scanning, determining, performing and 



! 



sending, if the iiata is not of a type that is likely to contain a virus. 



10. The method of claim 9 /wherein the step of determining whether 
the data is of a type that is likely t6 contain a virus is performed by comparing an 
extension type of a file name foiy the data to a group of known extension types. 



)tfC, The method of claim^, further comprising the steps of: 
determining whether the data is being transferred into a first network by 

comparing the destination address to valid addresses for the first 

network; 
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5 wherein the server is a FTP proxy server; 

6 wherein the step of electrordcally^^fl«»itt^ data comprises the steps of 

7 transferring the data from a cHent node to the FTP proxy server, if 

8 the data is not being transferred into the first network; and 

9 wherein the step of electronically tmnsmrttif^data comprises the steps of 

10 transferring the data from a server task to an FTP daemon, and then 

11 from the FTP daemon to the FTP proxy server if the data is being 

12 transferred into the first network. 

1 ' The method of claimj^ further comprising the steps of: 

2 determining whether the data is being transferred into a first network by 

3 comparing the destination address to valid addresses for the first 

4 network; 

5 wherein the server is a FTP proxy server; 

6 wherein the step of sending the data to the destination address comprises 

7 transferring the data from the FTP proxy server to a node having 

8 the destination address, if the data is being transferred into the first 

9 network; and 

10 wherein the step of sending the data to the destination address comprises 

11 transferring the data from the FTP proxy server to a FTP daemon, 

12 and then from an FTP daemon to a node having the destination 

13 address, if the data is not being transferred into the first network. 



-30- 



1 p?^. A computer implemented method/for detecting viruses in a mail 

message transferred between a first comput^ and a second computer, the 

3 method comprising the steps of: / 

4 receiving a mail message request including a destination address; 

5 electronically transmitting the mail message to a server; 

6 determining whether the mail message contains a virus; 

7 performing a preset acti/n on the mail message if the mail message 

8 contains a viru/* and 

9 sending the mail message to the destination address if the mail message 
10 does not crontains a virus. 

1 14. The method of clairftv/s, wherein the step of determining whether 

2 the mail message contains a vir^^B^ performed by scanning the mail message for 

3 encoded portions. / 

1 15. The method of claim 14, wherein the step of scanning the mail 

f 2 message for encoded portions searches for uuencoded portions. 

1 16. The method of clainyi4, wherein: 

2 the step of sending the m/il message to the destination address is 

3 performed if theymail message does not contain any encoded 

4 portions; / 

5 the server include/ a SMTP proxy server and a SMTP daemon; and 
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the step of sending the mail message comprisesiMffsferring the mail 
message from the SMTP proxv^sefver to the SMTP daemon, and 
transferring the maUjaet^age from the SMTP daemon to a node 
having an ajidfess matching the destination address. 



1 



ii 



The method of claim )2C wherein the step of determining whether 
the mail message contains a virus, further comprises the steps of: 
storing the message in a temporary file; 
scanning the temporary file for viruses; and 
testing whether the scarming step found a virus. 



18. The method of claim 13, wherein/the step of determining whether 
the mail message contains a virus, further comprises the step of: 

determining whether the mail message contains any encoded portions; 
storing each encoded portion ofm^ mail message in a separate temporary 
file; 

decoding the encoded portioi(sK)f the mail message to produced decoded 

portions of the mai/ message; 
scanning each of the d^oded portions for a virus; and 
testing whether the scanning step found any viruses. 

19. The method of claim 18, wherein step of scanrung is performed 
using in signature scarmin/ process. 
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1 20. The method of claim 14, wherein the step of performing preset 

2 action on the mail message comprises performing one step from me group of: 

3 transferring the mail message unchanged; / 

4 not transferring the mail message; and / 

5 storing the mail message as file with a new name And notifying a recipient 

6 of the mail message request of the new flie name; and 

7 creating a modified mail message by writing the output of the determiiung 

8 step into the modified mail message and transferring the mail 

9 message to the destination address. 

1 21. The method of claim 18, Wherein the step of performing a preset 

2 action on the mail message comprises performing one step from the group of: 

3 transferring the mail message unchanged; 

4 transferring the mail message with the encoded portions having a virus 

5 deleted; and / 

6 renaming the encod/ portions of the mail message containing a virus, and 

7 storing the /enamed portions as files in a specified directory on the 

8 server ana notifying a recipient of the renamed files and directory; 

9 and / 

10 writing thus output of the determining step into the mail message in place 

11 o/ respective encoded portions that contain a virus to create a 

12 ymodified mail message and sending the modified mail message. 
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^jsr An apparatus for detecting viruses in data transfers between a first 
computer and a second computer, the apparatus comprising: 

means for receiving a data transfer request including a destination address; 
means for electronically ^fa-'ansm il b ii Tg data jtp a server; 
means for determining whether the data contains a virus at the server; 
means for performing a preset action on the data using the server if the 

data contains a virus; and 
means for sending the data to the destination address if the data does not 
contain a virus. 



23. The apparatus of claip 22, wherein means for determining includes 
a means for scanning that scans/he data using in a signature scanning process. 

The apparatus of claim wherein the means for performing a 
preset action comprises: 

means for transmitting the data unchanged; 
means for not transmitting the data; and 

means for storing the data in a file with a new name and notifying a 
recipient of the data transfer request of the new file name. 

The apparatus of claim^, further comprising: 
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a second means for determining whether the data is of a type that is likely 

to contain a virus; and 
means for transmitting the data from the server to the destination 

without performing the steps of scanning, determining, performing 

and sending, if the data is not of a type that is likely to contain a 

virus. 



determining whether the data is being transferred into a first network by 
comparing the destination address to valid addresses for the first network. 
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